Comment 2 for bug 610125

Dustin Kirkland  (kirkland) wrote :

Jamie,

I'm attaching the patch that I've tested and verified works here for me. I sanitize the environment using env -i, and hardcode PATH to the values I pulled from /etc/login.defs:ENV_SUPATH. Arguably, there might be a few other environment values we should pass here (LANG?). I also hardcoded the path of /bin/run-parts.

I discussed this with someone in IRC (Kees? Steve? You? Sorry, I don't recall who) back in December 2010, and whoever I showed this to didn't like it. They wanted a fork/exec approach instead, which I didn't have time to implement. At that point, I unassigned myself from the bug.

To test, I added $HOME/bin to the path of user 'kirkland'. I added a shell script, $HOME/bin/uname, which does a "date >> /root/howdy". I then added "session optional pam_motd.so" to the end of /etc/pam.d/su. All of this as the reporter suggested.

Before applying my patch, I would su and definitely see the file /root/howdy created (verifying the vulnerability). After applying and installing my patch, I would not see /root/howdy created. As far as I could tell, the rest of the update-motd part of pam_motd seemed to work correctly without regression.

If the attached patch is acceptable, then feel free to assign this bug back to me, and I'll prepare SRUs, and upload to Oneiric.

If the attached patch is unacceptable, then I politely request that the dissatisfied parties attach a preferred diff.

Thanks,
:-Dustin
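
The fork/exec alternative mentioned in the comment above, sketched as an added example; it is not the attached patch and not pam_motd's code. The helper name run_sanitized, the PATH string (the stock Debian/Ubuntu ENV_SUPATH value) and the /etc/update-motd.d argument are assumptions, since the comment does not quote them.

```c
#include <errno.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumption: stock Debian/Ubuntu ENV_SUPATH; the comment does not quote it. */
static char *const CLEAN_ENV[] = {
    "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
    NULL
};

/* Hypothetical helper: run a program given by absolute path with only
 * CLEAN_ENV as its environment. Returns the child's exit status, or -1
 * on error or abnormal termination. */
int run_sanitized(const char *abs_path, char *const argv[])
{
    pid_t pid;
    int status;

    /* Refuse anything that would need a PATH lookup to resolve. */
    if (abs_path == NULL || abs_path[0] != '/')
        return -1;

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* execve() does no PATH search and replaces the environment
         * wholesale, so the calling user's PATH never reaches the child
         * or the scripts it runs. No shell is involved either. */
        execve(abs_path, argv, CLEAN_ENV);
        _exit(127); /* exec failed */
    }
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Assumed script directory; /bin/run-parts is the path named above. */
    char *const argv[] = { "run-parts", "/etc/update-motd.d", NULL };
    return run_sanitized("/bin/run-parts", argv) < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
}
```

Compared with env -i run through a shell, this passes the environment as an explicit array and never parses a command string.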